InfoSecBulletin Cybersecurity for mankind
On April 15, 2025, Oracle released a Critical Patch Update for 378 flaws for its products. The patch update covers databases, middleware, cloud services, and communication applications essential for global financial institutions, telecom providers, and cloud-native platforms.
Key Highlights:
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
UAP hosted “UAP Cyber Siege 2025”, A national level cybersecurity competition
Oracle Communications Applications had 42 new security updates, including 35 vulnerabilities that can be exploited remotely without authentication.
Oracle Commerce released 6 new patches, including five critical remote code execution vulnerabilities, like CVE-2025-24813 (CVSS 9.8), which impact Apache Tomcat in the Guided Search component.
Oracle Database Server received 7 new patches, including 3 that are remotely exploitable, like CVE-2025-30736, which affects Java VM.
Oracle GoldenGate and TimesTen In-Memory Database both had several serious vulnerabilities, including CVEs related to Axios, Apache Commons IO, and Netty.
Critical Vulnerability Statistics:
Total vulnerabilities addressed: 378
Unique CVEs fixed (excluding duplicates across products): 171
Remotely exploitable without authentication: 255 vulnerabilities
High-severity issues (CVSS v3.1 score ≥ 7.0): 162 vulnerabilities
CVSS ≥ 9.0 (Critical): 40 vulnerabilities
CVSS 9.8 (very high severity): 30 vulnerabilities
No CVSS 10.0 vulnerabilities were reported
The CPU affects a wide swath of Oracle offerings, including:
Oracle Database Server (versions 19.3–23.7)
Oracle Communications Suite (Unified Assurance, Messaging Server, Network Integrity)
Oracle GoldenGate, Graph Server, Essbase, Secure Backup
Oracle Java SE, Fusion Middleware, SOA Suite, WebLogic Server
Retail, Financial Services, E-Business Suite, PeopleSoft, and more
Oracle reiterates in its advisory that “attackers have been successful because targeted customers had failed to apply available Oracle patches.” The company urges users to remain on actively supported versions and apply the updates without delay.
Oracle advises organizations that are behind on patch cycles to upgrade to supported versions, as older versions likely contain vulnerabilities.
